I’m sure developers can figure out ways to make sure their phones aren’t trojaned, and they can obviously root and install whatever firmware they want on their phones. The question is how a normal user downloading firmware from Huawei’s or ZTE’s website using the firmware update button on the phone can check whether those updates have been seeded with malware.
The update file you download (probably from huaweidl.com) will probably be a zip file that contains your new firmware and another file that ends with an .md5 extension. That .md5 file is a text file that contains a 32 character string that you match to the string you get when you check the md5 checksum of the firmware file that you downloaded.
To double check you can go to the appropriate forum for your phone on xda-developers.com and match the md5 checksum of the firmware the developers there are using to the one that you downloaded - but that is only for the truly paranoid (like me.)
Huawei is known for their support in the open source community and they would never knowingly provide an infected download as that is a one strike and you are forever out kind of offense - and an offense that the experts there would almost surely catch. As long as you are using the same firmware as the devs at xda (as verified by the md5 checksums) then you are as safe as you (as a user) are ever going to be.